Dear Theodoros,

On Wednesday 4 February 2009 14:04:37 [email protected] wrote:
> I was looking for a way to make "approvals" disappear for users that
> have no referee rights.
> create_userinfobox_body calls tmpl_create_userinfobox with "true" for
> submitter, referee and admin (and yes, I see the FIXME comments).
>
> I was wondering if you have an update for the isUserReferee
> function... Isn't it enough to check if
> acc_find_possible_actions_user(uid,acc_get_action_id('referee')) is
> empty or not?

After the introduction of the Firewall Like Role definitions (FireRole :-) 
a user may be connected to roles (and hence authorized to some actions) both in 
an explicit (and traditional) way, and in an implicit way (by means of the 
FireRole definition assigned to a role). This has brought lots of flexibility 
in the way authorization can now be configured, but unfortunately some checks 
have now become rather complex (in terms of computation).

In particular, acc_find_possible_actions_user is returning at the moment only 
the action connected to the roles the user belongs explicitly to. No check is 
performed at the moment for the roles the user belongs to implicitly.

To add such a check, the function would need to iterate over all the Roles 
that have a FireRole definition and to check whether the user is linked to 
the definition or not, and this is computationally heavy. Unfortunately this 
can't really be cached, because a FireRole definition might use runtime 
information such as the IP address, the referer URL (although this is not a 
very common usage). So the problem is that in order to really fix the 
isUserReferee, we need to enhance acc_find_possible_actions_user, which will 
have a computational time linear in the number of roles in the system. At 
CERN, for example, this is a big number. However, given that the number of 
roles in a given installation of Invenio might be small or reasonable, it is 
worth finally fixing the isUserReferee and friends set of functions.

I'll push it higher in the TODO list...

Thanks a lot for the very detailed feedback.

> ps. I will hopefully keep quiet for the rest of the day :)

But we hope you'll keep up with feedback again tomorrow ;-)

Best regards,
        Samuele

-- 
Samuele Kaplun ** CERN Document Server ** <http://cds.cern.ch/>
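
The explicit versus implicit role membership discussed in this message, as an added example that is not Invenio code and not part of the original mail. The `Rule` and `Role` classes, the rule attributes, the function names and the sample data are all assumptions made for illustration; they do not reproduce FireRole's actual syntax or Invenio's API.

```python
import ipaddress
from dataclasses import dataclass, field
# Hypothetical, simplified model: not Invenio's schema or FireRole's real syntax.
@dataclass
class Rule:
    allow: bool
    attr: str    # "email", or "remote_ip" (runtime information)
    value: str   # exact email, or a CIDR network for remote_ip
    def matches(self, ctx):
        if self.attr == "remote_ip":
            return ipaddress.ip_address(ctx["remote_ip"]) in ipaddress.ip_network(self.value)
        return ctx.get(self.attr) == self.value

@dataclass
class Role:
    name: str
    actions: set
    explicit_uids: set = field(default_factory=set)
    rules: list = field(default_factory=list)  # first match wins, default deny

def explicit_actions(roles, uid):
    """Explicit links only, the behaviour the message describes as current."""
    return {a for r in roles if uid in r.explicit_uids for a in r.actions}

def implicit_member(role, ctx):
    for rule in role.rules:
        if rule.matches(ctx):
            return rule.allow
    return False

def all_actions(roles, uid, ctx):
    """Explicit plus implicit; walks every role on every call, so O(#roles)."""
    found = set()
    for r in roles:
        if uid in r.explicit_uids or implicit_member(r, ctx):
            found |= r.actions
    return found

def is_user_referee(roles, uid, ctx):
    return "referee" in all_actions(roles, uid, ctx)

# Constructed sample data (documentation IP ranges, example.org addresses).
ROLES = [
    Role("referee_physics", {"referee"}, explicit_uids={1}),
    Role("referee_onsite", {"referee"}, rules=[
        Rule(False, "email", "blocked@example.org"),
        Rule(True, "remote_ip", "192.0.2.0/24")]),
    Role("submitters", {"submit"}, explicit_uids={1, 2}),
]
```

User 2 has no explicit referee link, so the explicit-only lookup never reports the referee action, while the full check grants or denies it depending on the request's IP address, which is why the result cannot be cached per user.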
